US20080222716A1 - COMMUNICATION SYSTEM, IPsec TUNNEL TERMINATION DEVICE, AND IPsec TUNNEL COMMUNICATION CONTINUATION METHOD USED FOR THEM - Google Patents
- Publication number: US20080222716A1
- Authority: US (United States)
- Prior art keywords: line, connection destination, destination device, ipsec, address
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Abandoned
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/16—Implementing security features at a particular protocol layer
          - H04L63/164—Implementing security features at a particular protocol layer at the network layer
      - H04L43/00—Arrangements for monitoring or testing data switching networks
        - H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
          - H04L43/0805—Monitoring or testing based on specific metrics by checking availability
            - H04L43/0811—Monitoring or testing based on specific metrics by checking availability by checking connectivity
      - H04L45/00—Routing or path finding of packets in data switching networks
        - H04L45/28—Routing or path finding of packets in data switching networks using route fault recovery
Definitions
- the present invention relates to a communication system and an IPsec tunnel termination device, as well as an IPsec tunnel communication continuation method used for them and its program, and more particularly to a method for continuing IPsec tunnel communication when a line failure occurs in an IPsec (Internet Protocol security protocol) tunnel termination device.
- FIG. 7 is a diagram illustrating the configuration of a typical conventional communication system in which an IPsec tunnel to a connection source device is terminated at a connection destination device.
- IPsec tunnels 91 and 92 are provided redundantly to support line redundancy as shown in FIG. 7 .
- the connection destination device 6 comprises a line (A) 61 , a line (B) 62 , an SAD (Security Association Database)-A 63 and an SAD-B 64 in which IPsec connection (Security Association) information is stored, a switch unit 65 , and a control unit 66 .
- the connection source device 8 comprises an SAD-a 81 and an SAD-b 82 .
- In the connection destination device 6, address A and address B are assigned, respectively, to the line (A) 61 and line (B) 62. So, the connection source device 8 establishes, communicates via, or disconnects the IPsec tunnels 91 and 92 using address A of the line (A) 61 and address B of the line (B) 62 as the address of the connection destination device 6 (for example, see Patent Document 1).
- When line redundancy is supported, the connection source device 8 must set up IPsec tunnels, one for each redundant line, because an address is assigned to each line.
- Both the connection source device 8 and the connection destination device 6 must have SADs (SAD-A 63 and SAD-B 64 in connection destination device 6, and SAD-a 81 and SAD-b 82 in connection source device 8), one for each IPsec tunnel.
- Yet another problem with the conventional communication system is that the switch unit 65 and the control unit 66 must be installed in the connection destination device 6 to select an IPsec tunnel to be used and to control the selected IPsec tunnel. This problem applies also to the connection source device 8.
- Yet another problem with the conventional communication system is that, because the IPsec tunnels are switched when a line failure occurs in the connection destination device 6, the SADs in the connection source device 8 and the connection destination device 6 (SAD-A 63 and SAD-a 81, SAD-B 64 and SAD-b 82) must also be switched (exchanged). This means that the connection source device 8 and the connection destination device 6 must synchronize with each other in switching the SADs.
- When communication is performed with an IPsec tunnel established, there is a one-to-one correspondence between the connection source address and the connection destination address.
- When line redundancy is supported for increasing the reliability of a connection destination device, two or more connection destination addresses, one for each redundant line, are required. This means that there is a one-to-N correspondence between the connection source address and the connection destination addresses.
- Addresses are required for the connection destination lines, one for each, and the IPsec tunnels must also be provided redundantly.
- Both the connection source device and the connection destination device must have SADs (redundantly), one for each connection destination line.
- The SADs in the connection source device and the connection destination device must be switched (exchanged) and, so, the connection source device and the connection destination device must synchronize with each other in switching the SADs.
- an object of the present invention is to provide a communication system and an IPsec tunnel termination device, as well as an IPsec tunnel communication continuation method for them and its program, for allowing a connection source device to establish, communicate, or disconnect an IPsec tunnel to a connection destination device with no concern about a line used by the connection destination device or about the line redundancy.
- a communication system is a communication system in which an IPsec (Internet Protocol security protocol) tunnel to a connection source device is terminated at a connection destination device, wherein
- connection destination device comprises:
- virtual line means that specifies one of the plurality of physical lines as an active line to be used for communication and that notifies an external device that the specified physical line is of a pre-assigned address of the connection destination device; and wherein the address of the connection destination device is assigned to the virtual line means to make it appear to the external device that the address is assigned to the active line.
- An IPsec tunnel termination device is an IPsec termination device that terminates an IPsec tunnel, comprising:
- virtual line means that specifies one of the plurality of physical lines as an active line to be used for communication and that notifies an external device that the specified physical line is of a pre-assigned address wherein the address of the IPsec termination device is assigned to the virtual line means to make it appear to the external device that the address is assigned to the active line.
- An IPsec tunnel communication continuation method is an IPsec tunnel communication continuation method for use in a communication system in which an IPsec tunnel to a connection source device is terminated at a connection destination device wherein
- connection destination device notifies to an external device that a physical line, which is specified using virtual line means that specifies one of a plurality of physical lines as an active line to be used for communication, is of a pre-assigned address of the connection destination device and
- the address of the connection destination device is assigned to the virtual line means to make it appear to the external device that the address is assigned to the active line.
- a program according to the present invention is a program which is executed in an IPsec termination device that terminates an IPsec tunnel and which is executable by a computer, the program including the process of:
- redundant lines are provided in the connection destination device. So, even when a line failure occurs, the IPsec tunnel can be established or disconnected or an IPsec tunnel, established before the occurrence of the line failure, can be used continuously.
- the address of the connection destination device is assigned, not directly to a physical line such as line A, but to the virtual line unit so that it appears to an external device that the address is assigned to the activated line.
- This eliminates the need for setting multiple connection destination addresses and for creating multiple IPsec tunnels between the connection source device and the connection destination device, one for each redundant line.
- the communication system of the present invention eliminates the need for both the connection source device and the connection destination device to have SADs (Security Association Databases).
- the active line of the connection destination device is switched to another line when a line failure occurs in the connection destination device. So, the IPsec tunnel established before the error can be used continuously.
- the address of the termination device is assigned, not directly to the lines, but to the virtual line unit as described above, so that it appears to an external device that the address of the termination device is assigned to the active line. So, even when a line failure occurs, the IPsec tunnel can be established or disconnected or an IPsec tunnel, established before the line failure, can be used continuously.
- the connection destination device that terminates the IPsec tunnel assigns the address X of the connection destination device to the virtual line unit in response to an instruction from the control unit.
- the address X is an address assigned to a physical line such as line A.
- In response to an instruction from the control unit, the virtual line unit specifies line A as an active line to be used for communication. To make it appear to an external device that the address X is assigned to line A, the virtual line unit notifies a preceding-stage device that line A has the address X, and the setting of the address X of the connection destination device is completed.
- the establishment, communication, or disconnection of the IPsec tunnel from the connection source device to the connection destination device is performed using line A that has the address X of the connection destination device.
- the control unit requests the virtual line unit to switch the active line from line A to line B and, in response, the virtual line unit sets line B as an active line to be used for communication.
- the virtual line unit notifies the preceding-stage device that line B has the address X. Thereafter, the establishment, communication, or disconnection of the IPsec tunnel from the connection source device to the connection destination device is performed using line B that has the address X of the connection destination device.
- If it appears to the connection source device that the address X of the connection destination device is assigned to one of line A and line B of the connection destination device, the connection source device can establish, communicate, or disconnect the IPsec tunnel to the connection destination device.
- The communication system of the present invention assigns the address of the connection destination device, not directly to a physical line such as line A, but to the virtual line unit. In this way, the communication system implements line redundancy by making it appear to an external device that the address is assigned to an active line.
- The connection source device can establish or disconnect the IPsec tunnel, or can continue communication over the IPsec tunnel that was established before the line failure occurred.
- the present invention which has the configuration described above and performs the operation as described above, achieves an effect that the connection source device can establish, communicate, or disconnect the IPsec tunnel to the connection destination device with no concern for the line used in the connection destination device or for line redundancy.
- FIG. 1 is a block diagram showing the configuration of a communication system in one example of the present invention.
- FIG. 2 is a diagram showing the operation of a connection destination device in one example of the present invention.
- FIG. 3 is a diagram showing the operation of the connection destination device in one example of the present invention.
- FIG. 4 is a flowchart showing the active line setting operation of the connection destination device in one example of the present invention.
- FIG. 5 is a flowchart showing the active line setting switching operation performed by the connection destination device when a line failure occurs in one example of the present invention.
- FIG. 6 is a block diagram showing the configuration of a connection destination device in another example of the present invention.
- FIG. 7 is a block diagram showing the configuration of a communication system of a related art.
- FIG. 1 is a block diagram showing the configuration of a communication system in one example of the present invention.
- the communication system in one example of the present invention comprises a connection destination device 1 , a preceding-stage device 2 , and a connection source device 3 .
- the connection destination device 1 comprises a line (A) 11 , a line (B) 12 , a virtual line unit 13 , a SAD (Security Association Database) 14 in which IPsec connection (Security Association) information is stored, and a control unit 15 .
- Although the line (A) 11 and the line (B) 12 are physical lines, addresses are not assigned directly to those lines in the connection destination device 1.
- the address of the connection destination device 1 is assigned to the virtual line unit 13 .
- the virtual line unit 13 has an interface (I/F) not only with the line (A) 11 , line (B) 12 , and control unit 15 , but also with the SAD 14 .
- the virtual line unit 13 specifies the physical line (A) 11 or physical line (B) 12 as an active line that will be used for communication.
- the virtual line unit 13 has the function to notify the preceding-stage device 2 that the line (A) 11 or the line (B) 12 has the address X.
- The SAD 14, a Security Association Database for IPsec (Internet Protocol security protocol), identifies the address assigned to the virtual line unit 13 as the connection destination device address.
- The control unit 15 has the function to assign an address to the virtual line unit 13 and to specify which line, line (A) 11 or line (B) 12, the virtual line unit 13 is to activate.
- FIG. 2 and FIG. 3 are diagrams showing the operation of the connection destination device 1 in one example of the present invention.
- FIG. 2 shows the operation in which the line (A) 11 is set as an active line
- FIG. 3 shows the operation in which the active line is switched from the line (A) 11 to the line (B) 12 .
- the following describes the operation of the connection destination device 1 in one example of the present invention with reference to FIG. 1 to FIG. 3 .
- the control unit 15 assigns a connection destination device address to the virtual line unit 13 .
- The virtual line unit 13 sets the line (A) 11 as an active line that will be used for communication and, to make it appear to an external device that the connection destination device address is assigned to the line (A) 11, notifies the preceding-stage device 2 that the line (A) 11 has the connection destination device address. Thereafter, the line (A) 11 is used to establish, communicate, and disconnect an IPsec tunnel 16 from the connection source device 3 to the connection destination device 1.
- The control unit 15 issues a switching request to the virtual line unit 13 to switch the active line from the line (A) 11 to the line (B) 12.
- The virtual line unit 13 sets the line (B) 12 as an active line. To make it appear to an external device that the connection destination device address is assigned to the line (B) 12, the virtual line unit 13 notifies the preceding-stage device 2 that the line (B) 12 has the connection destination device address. Thereafter, the line (B) 12 is used to establish, communicate, and disconnect the IPsec tunnel 16 from the connection source device 3 to the connection destination device 1.
- FIG. 4 is a flowchart showing the active line setting operation of the connection destination device 1 in one example of the present invention.
- FIG. 5 is a flowchart showing the active line setting switching operation of the connection destination device 1 in one example of the present invention when a line failure occurs.
- the following describes the operation of the connection destination device 1 in one example of the present invention with reference to FIG. 1 to FIG. 5 .
- the processing shown in FIG. 4 and FIG. 5 is implemented when the CPU (central processing unit) (not shown), one of the components of the control unit 15 , executes a computer-executable program.
- The following describes the active line setting of the connection destination device 1 with reference to FIG. 2 and FIG. 4.
- The control unit 15 confirms the line status of the line (A) 11 (step S 1 in FIG. 4) and determines if the line (A) 11 can be made effective (step S 2 in FIG. 4). If it is confirmed that the line (A) 11 is effective, the control unit 15 instructs the virtual line unit 13 to set the line (A) 11 as an active line (step S 3 in FIG. 4).
- Otherwise, the control unit 15 confirms the line status of the line (B) 12 (step S 4 in FIG. 4) and determines if the line (B) 12 can be made effective (step S 5 in FIG. 4). If it is confirmed that the line (B) 12 is effective, the control unit 15 instructs the virtual line unit 13 to set the line (B) 12 as an active line (step S 6 in FIG. 4). After the line selection is finished, the control unit 15 instructs the virtual line unit 13 to notify an external device about the active line (step S 7 in FIG. 4), and completes the setting.
- If neither line can be made effective, the control unit 15 determines that the lines cannot be set (step S 8 in FIG. 4) and completes the active line setting operation.
- When a line failure occurs, the control unit 15 confirms on which line the failure has occurred (step S 11 in FIG. 5). If it is determined that the line failure has occurred on the active line side (step S 12 in FIG. 5), the control unit 15 deactivates the active side line (line (A) 11 in this example) (step S 13 in FIG. 5) and activates the non-failure line (line (B) 12 in this example) (step S 14 in FIG. 5).
- The control unit 15 then instructs the virtual line unit 13 to notify the external device that the non-failure line is activated (step S 15 in FIG. 5) and completes the switching operation of the active line setting that is performed when a line failure occurs.
- If the failure was on the non-active line, the control unit 15 determines so (step S 16 in FIG. 5) and completes the switching operation of the active line setting that is performed when a line failure occurs without switching the active line.
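The two flowcharts above (active line setting, FIG. 4, steps S 1 to S 8; switching on line failure, FIG. 5, steps S 11 to S 16) translate directly into a small control-unit state machine. The following is an added illustration, not code from the patent: the `Line`, `VirtualLineUnit` and `ControlUnit` classes and the text of the notification are assumptions of this example. It generalises the two-line case to any ordered list of lines, as the FIG. 6 variant with lines (A) to (N) allows. The patent only says the virtual line unit "notifies" the preceding-stage device; the comment's remark that a real device would typically do this with a gratuitous ARP or an equivalent neighbour announcement is an assumption, not something the page states.

```python
"""Control-unit behaviour of the virtual-line termination device:
active-line setting (FIG. 4, S1-S8) and switching on line failure
(FIG. 5, S11-S16). Added illustration, not the patent's own code."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Line:
    """One physical line; `up` is the line status the control unit confirms."""
    name: str
    up: bool = True


@dataclass
class VirtualLineUnit:
    """Owns the device address X and points it at exactly one physical line."""
    address: str
    lines: List[Line]                   # preference order: A, then B (then C.. as in FIG. 6)
    active: Optional[str] = None
    notifications: List[str] = field(default_factory=list)

    def notify_preceding_stage(self) -> str:
        # "Line <active> has address X". The patent only says "notifies";
        # assumption: a real device would send a gratuitous ARP or an
        # equivalent neighbour announcement here.
        msg = f"address {self.address} is on line {self.active}"
        self.notifications.append(msg)
        return msg


class ControlUnit:
    def __init__(self, vlu: VirtualLineUnit) -> None:
        self.vlu = vlu

    def _line(self, name: str) -> Line:
        return next(line for line in self.vlu.lines if line.name == name)

    def set_active_line(self) -> Optional[str]:
        """FIG. 4: confirm each line in turn (S1/S2, S4/S5); the first
        effective one becomes active (S3/S6) and is announced (S7).
        Returns the active line name, or None when no line can be set (S8)."""
        for line in self.vlu.lines:
            if line.up:
                self.vlu.active = line.name
                self.vlu.notify_preceding_stage()
                return line.name
        self.vlu.active = None
        return None

    def on_line_failure(self, failed: str) -> bool:
        """FIG. 5: S11 records which line failed. If it is the active line (S12)
        it is deactivated (S13), a healthy line is activated (S14) and announced
        (S15); a failure on a non-active line needs no switch (S16).
        Returns True when the active line was switched."""
        self._line(failed).up = False                          # S11
        if failed != self.vlu.active:                          # S16
            return False
        healthy = [line for line in self.vlu.lines if line.up]  # S12: active side failed
        self.vlu.active = None                                 # S13
        if not healthy:                                        # assumption: nothing left to activate
            return False
        self.vlu.active = healthy[0].name                      # S14
        self.vlu.notify_preceding_stage()                      # S15
        return True


def failover_demo() -> List[str]:
    """Constructed run: both lines up, A chosen, B fails (no switch),
    B repaired, then A fails and B takes over. Returns the announcements."""
    vlu = VirtualLineUnit("X", [Line("A"), Line("B")])
    cu = ControlUnit(vlu)
    cu.set_active_line()
    cu.on_line_failure("B")      # non-active failure: no announcement (S16)
    vlu.lines[1].up = True       # line B repaired (constructed event)
    cu.on_line_failure("A")      # active failure: switch to B (S13-S15)
    return vlu.notifications
```

Because the address never moves off the virtual line unit, the only externally visible event in either flowchart is the announcement; the connection source device sees the same address X before and after the switch, which is exactly why it needs no second tunnel.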
- Only one address is used for the connection destination device 1 in this example, and the line redundancy function can be provided without using redundant IPsec tunnels from the connection source device 3 to the connection destination device 1.
- The address of the connection destination device 1 is assigned, not directly to the physical lines, but to the virtual line unit 13.
- This configuration allows the connection source device 3 to establish, communicate, or disconnect an IPsec tunnel to the connection destination device 1 with no concern about the line used by the connection destination device 1 or about the line redundancy.
- Because the address of the connection destination device 1 is assigned, not directly to the physical lines, but to the virtual line unit 13,
- this configuration eliminates the need for creating IPsec tunnels and SADs, one for each redundant line, between the connection source device and the connection destination device, thus increasing efficiency.
- the IPsec tunnel established before the generation of the error can be used continuously.
- FIG. 6 is a block diagram showing the configuration of a connection destination device in another example of the present invention.
- The basic configuration of another example of the present invention shown in FIG. 6 is the same as that of the example described above, except for further modifications to the configuration of a connection destination device 4. That is, the connection destination device 4 comprises line (A) 41-1, line (B) 41-2, . . . , line (N) 41-N, a virtual line unit 42, and a control unit 43, and an externally installed SAD 5 is connected to the virtual line unit 13.
- The SAD 5, which can be installed outside the connection destination device 4 as shown in FIG. 6, communicates with the connection destination device 4 via a general-purpose communication method such as TCP/IP (Transmission Control Protocol/Internet Protocol). This configuration minimizes the effect on the SAD 5 even when the connection destination device 4 fails.
- The physical lines are not limited to two, line (A) 41-1 and line (B) 41-2; one or more lines (N) 41-N are installed to increase the number of physical lines to N.
- This configuration also performs the same operation, and achieves the same effect, as the example described above.
- The lines may also be installed redundantly in a connection source device 3.
Abstract
A control unit of a connection destination device assigns a connection destination device address to a virtual line unit. In response to an instruction from the control unit, the virtual line unit sets a line as an active line to be used for communication and, to make it appear to an external device that the connection destination device address is assigned to the line, notifies a preceding-stage device that the line has the connection destination device address. Thereafter, the line is used to establish, communicate, or disconnect an IPsec tunnel from a connection source device to the connection destination device.
Description
- This application is based upon and claims the benefit of the priority of Japanese patent application No. 2007-056502, filed on Mar. 7, 2007, the disclosure of which is incorporated herein in its entirety by reference thereto.
- The present invention relates to a communication system and an IPsec tunnel termination device, as well as an IPsec tunnel communication continuation method used for them and its program, and more particularly to a method for continuing IPsec tunnel communication when a line failure occurs in an IPsec (Internet Protocol security protocol) tunnel termination device.
- FIG. 7 is a diagram illustrating the configuration of a typical conventional communication system in which an IPsec tunnel to a connection source device is terminated at a connection destination device. Conventionally, in the communication system in which communication is performed using IPsec tunnels and in which there are provided a connection destination device 6, a preceding-stage device 7, and a connection source device 8, IPsec tunnels 91 and 92 are provided redundantly to support line redundancy as shown in FIG. 7.
- In FIG. 7, the connection destination device 6 comprises a line (A) 61, a line (B) 62, an SAD (Security Association Database)-A 63 and an SAD-B 64 in which IPsec connection (Security Association) information is stored, a switch unit 65, and a control unit 66. The connection source device 8 comprises an SAD-a 81 and an SAD-b 82.
- In the connection destination device 6, address A and address B are assigned, respectively, to the line (A) 61 and line (B) 62. So, the connection source device 8 establishes, communicates via, or disconnects the IPsec tunnels 91 and 92 using address A of the line (A) 61 and address B of the line (B) 62 as the address of the connection destination device 6 (for example, see Patent Document 1).
- Patent Document 1: Japanese Patent Kokai Publication No. JP-P2005-341084A
- The entire disclosures of the above mentioned patent document are incorporated herein by reference thereto.
- One of the problems with the conventional communication system described above is that, when line redundancy is supported, the connection source device 8 must set up IPsec tunnels, one for each redundant line, because an address is assigned to each line.
- Another problem with the conventional communication system is that, because IPsec tunnels are redundantly provided, both the connection source device 8 and the connection destination device 6 must have SADs (SAD-A 63 and SAD-B 64 in connection destination device 6, and SAD-a 81 and SAD-b 82 in connection source device 8), one for each IPsec tunnel.
- Yet another problem with the conventional communication system is that the switch unit 65 and the control unit 66 must be installed in the connection destination device 6 to select an IPsec tunnel to be used and to control the selected IPsec tunnel. This problem applies also to the connection source device 8.
- Yet another problem with the conventional communication system is that, because the IPsec tunnels are switched when a line failure occurs in the connection destination device 6, the SADs in the connection source device 8 and the connection destination device 6 (SAD-A 63 and SAD-a 81, SAD-B 64 and SAD-b 82) must also be switched (exchanged). This means that the connection source device 8 and the connection destination device 6 must synchronize with each other in switching the SADs.
- When communication is performed with an IPsec tunnel established, there is a one-to-one correspondence between the connection source address and the connection destination address. When line redundancy is supported for increasing the reliability of a connection destination device, two or more connection destination addresses, one for each redundant line, are required. This means that there is a one-to-N correspondence between the connection source address and the connection destination addresses. As more and more connection destination lines with the redundant configuration are used, addresses are required for the connection destination lines, one for each, and the IPsec tunnels must also be provided redundantly.
- In addition, because the communication described above requires an IPsec tunnel for each redundant line, both the connection source device and the connection destination device must have SADs (redundantly), one for each connection destination line.
- Furthermore, because the IPsec tunnels are switched when a line failure occurs in the connection destination device, the SADs in the connection source device and the connection destination device must be switched (exchanged) and, so, the connection source device and the connection destination device must synchronize with each other in switching the SADs.
- It is an object of the present invention to solve the problems described above. More specifically, an object of the present invention is to provide a communication system and an IPsec tunnel termination device, as well as an IPsec tunnel communication continuation method for them and its program, for allowing a connection source device to establish, communicate, or disconnect an IPsec tunnel to a connection destination device with no concern about a line used by the connection destination device or about the line redundancy.
- A communication system according to the present invention is a communication system in which an IPsec (Internet Protocol security protocol) tunnel to a connection source device is terminated at a connection destination device, wherein
- the connection destination device comprises:
- a plurality of physical lines; and
- virtual line means that specifies one of the plurality of physical lines as an active line to be used for communication and that notifies an external device that the specified physical line is of a pre-assigned address of the connection destination device; and wherein the address of the connection destination device is assigned to the virtual line means to make it appear to the external device that the address is assigned to the active line.
- An IPsec tunnel termination device according to the present invention is an IPsec termination device that terminates an IPsec tunnel, comprising:
- a plurality of physical lines; and virtual line means that specifies one of the plurality of physical lines as an active line to be used for communication and that notifies an external device that the specified physical line is of a pre-assigned address wherein the address of the IPsec termination device is assigned to the virtual line means to make it appear to the external device that the address is assigned to the active line.
- An IPsec tunnel communication continuation method according to the present invention is an IPsec tunnel communication continuation method for use in a communication system in which an IPsec tunnel to a connection source device is terminated at a connection destination device wherein
- the connection destination device notifies to an external device that a physical line, which is specified using virtual line means that specifies one of a plurality of physical lines as an active line to be used for communication, is of a pre-assigned address of the connection destination device and
- the address of the connection destination device is assigned to the virtual line means to make it appear to the external device that the address is assigned to the active line.
- A program according to the present invention is a program which is executed in an IPsec termination device that terminates an IPsec tunnel and which is executable by a computer, the program including the process of:
- notifying to an external device that a physical line, which is specified using virtual line means that specifies one of a plurality of physical lines as an active line to be used for communication, is of a pre-assigned address of the connection destination device.
- That is, in the communication system of the present invention, the IPsec (Internet Protocol security protocol) tunnels themselves are not made redundant; instead, redundant lines are provided in the connection destination device. So, even when a line failure occurs, the IPsec tunnel can be established or disconnected, or an IPsec tunnel established before the occurrence of the line failure can be used continuously.
- In the communication system of the present invention, the address of the connection destination device is assigned, not directly to a physical line such as line A, but to the virtual line unit so that it appears to an external device that the address is assigned to the activated line. This eliminates the need for setting multiple connection destination addresses and for creating multiple IPsec tunnels between the connection source device and the connection destination device, one for each redundant line. In addition, the communication system of the present invention eliminates the need for both the connection source device and the connection destination device to have SADs (Security Association Databases).
- In the communication system of the present invention, the active line of the connection destination device is switched to another line when a line failure occurs in the connection destination device. So, the IPsec tunnel established before the error can be used continuously.
- In the communication system of the present invention, when the redundant lines (master/slave) are used in the termination device where IPsec encryption/decryption processing is performed, the address of the termination device is assigned, not directly to the lines, but to the virtual line unit as described above, so that it appears to an external device that the address of the termination device is assigned to the active line. So, even when a line failure occurs, the IPsec tunnel can be established or disconnected or an IPsec tunnel, established before the line failure, can be used continuously.
- More specifically, in the communication system of the present invention, the connection destination device that terminates the IPsec tunnel assigns the address X of the connection destination device to the virtual line unit in response to an instruction from the control unit. In the conventional method, the address X is an address assigned to a physical line such as line A.
- In response to an instruction from the control unit, the virtual line unit specifies line A as an active line to be used for communication. To make it appear to an external device that the address X is assigned to line A, the virtual line unit notifies a preceding-stage device that line A has the address X, and the setting of the address X of the connection destination device is completed.
- In this case, the establishment, communication, or disconnection of the IPsec tunnel from the connection source device to the connection destination device is performed using line A that has the address X of the connection destination device. However, when an error is generated on line A, the control unit requests the virtual line unit to switch the active line from line A to line B and, in response, the virtual line unit sets line B as an active line to be used for communication.
- In addition, to make it appear to an external device that the address X is assigned to line B, the virtual line unit notifies the preceding-stage device that line B has the address X. Thereafter, the establishment, communication, or disconnection of the IPsec tunnel from the connection source device to the connection destination device is performed using line B that has the address X of the connection destination device.
- If it appears to the connection source device that the address X of the connection destination device is assigned to one of line A and line B of the connection destination device, the connection source device can establish, communicate, or disconnect the IPsec tunnel to the connection destination device.
- As described above, the communication system of the present invention assigns the address of the connection destination device, not directly to a physical line such as line A, but to the virtual line unit. In this way, the communication system implements line redundancy by making it appear to an external device that the address is assigned to an active line.
- In addition, even when a line failure occurs in the connection destination device, the connection source device can establish or disconnect the IPsec tunnel or can continue the communication where the IPsec tunnel, established before the line failure was generated, is used.
- The meritorious effects of the present invention are summarized as follows.
- The present invention, which has the configuration described above and performs the operation as described above, achieves an effect that the connection source device can establish, communicate, or disconnect the IPsec tunnel to the connection destination device with no concern for the line used in the connection destination device or for line redundancy.
- FIG. 1 is a block diagram showing the configuration of a communication system in one example of the present invention.
- FIG. 2 is a diagram showing the operation of a connection destination device in one example of the present invention.
- FIG. 3 is a diagram showing the operation of the connection destination device in one example of the present invention.
- FIG. 4 is a flowchart showing the active line setting operation of the connection destination device in one example of the present invention.
- FIG. 5 is a flowchart showing the active line setting switching operation performed by the connection destination device when a line failure occurs in one example of the present invention.
- FIG. 6 is a block diagram showing the configuration of a connection destination device in another example of the present invention.
- FIG. 7 is a block diagram showing the configuration of a communication system of a related art.
- Embodiments of the present invention will be described in more detail with reference to the drawings.
- FIG. 1 is a block diagram showing the configuration of a communication system in one example of the present invention. Referring to FIG. 1, the communication system in one example of the present invention comprises a connection destination device 1, a preceding-stage device 2, and a connection source device 3.
- The connection destination device 1 comprises a line (A) 11, a line (B) 12, a virtual line unit 13, a SAD (Security Association Database) 14 in which IPsec connection (Security Association) information is stored, and a control unit 15. Although the line (A) 11 and the line (B) 12 are physical lines, the addresses are not assigned directly to those lines in the connection destination device 1. The address of the connection destination device 1 is assigned to the virtual line unit 13.
- The virtual line unit 13 has an interface (I/F) not only with the line (A) 11, the line (B) 12, and the control unit 15, but also with the SAD 14. In response to an instruction from the control unit 15, the virtual line unit 13 specifies the physical line (A) 11 or the physical line (B) 12 as an active line that will be used for communication. In addition, to make it appear to an external device that the address X is assigned to the line (A) 11 or the line (B) 12, the virtual line unit 13 has the function to notify the preceding-stage device 2 that the line (A) 11 or the line (B) 12 has the address X.
- The SAD 14, a Security Association Database for the IPsec (Internet Protocol security protocol), identifies the address assigned to the virtual line unit 13 as the connection destination device address.
- The control unit 15 has the function to assign an address to the virtual line unit 13 and to specify which line, line (A) 11 or line (B) 12, the virtual line unit 13 is to activate.
- FIG. 2 and FIG. 3 are diagrams showing the operation of the connection destination device 1 in one example of the present invention. FIG. 2 shows the operation in which the line (A) 11 is set as an active line, and FIG. 3 shows the operation in which the active line is switched from the line (A) 11 to the line (B) 12. The following describes the operation of the connection destination device 1 in one example of the present invention with reference to FIG. 1 to FIG. 3.
- The control unit 15 assigns a connection destination device address to the virtual line unit 13. In response to the instruction from the control unit 15, the virtual line unit 13 sets the line (A) 11 as an active line that will be used for communication and, to make it appear to an external device that the connection destination device address is assigned to the line (A) 11, notifies the preceding-stage device 2 that the line (A) 11 has the connection destination device address. Thereafter, the line (A) 11 is used to establish, communicate over, and disconnect an IPsec tunnel 16 from the connection source device 3 to the connection destination device 1.
- On the other hand, when a failure is detected on the line (A) 11, the control unit 15 issues a switching request to the virtual line unit 13 to switch the active line from the line (A) 11 to the line (B) 12.
- In response to the switching request from the control unit 15, the virtual line unit 13 sets the line (B) 12 as an active line. To make it appear to an external device that the connection destination device address is assigned to the line (B) 12, the virtual line unit 13 notifies the preceding-stage device 2 that the line (B) 12 has the connection destination device address. Thereafter, the line (B) 12 is used to establish, communicate over, and disconnect an IPsec tunnel 16 from the connection source device 3 to the connection destination device 1.
- FIG. 4 is a flowchart showing the active line setting operation of the connection destination device 1 in one example of the present invention, and FIG. 5 is a flowchart showing the active line setting switching operation of the connection destination device 1 in one example of the present invention when a line failure occurs. The following describes the operation of the connection destination device 1 in one example of the present invention with reference to FIG. 1 to FIG. 5. The processing shown in FIG. 4 and FIG. 5 is implemented when the CPU (central processing unit) (not shown), one of the components of the control unit 15, executes a computer-executable program.
- First, the following describes the active line setting of the connection destination device 1 with reference to FIG. 2 and FIG. 4.
- When the active line setting operation is started, the control unit 15 confirms the line status of the line (A) 11 (step S1 in FIG. 4) and determines if the line (A) 11 can be made effective (step S2 in FIG. 4). If it is confirmed that the line (A) 11 is effective, the control unit 15 instructs the virtual line unit 13 to set the line (A) 11 as an active line (step S3 in FIG. 4).
- If the line (A) 11 is not effective, the control unit 15 confirms the line status of the line (B) 12 (step S4 in FIG. 4) and determines if the line (B) 12 can be made effective (step S5 in FIG. 4). If it is confirmed that the line (B) 12 is effective, the control unit 15 instructs the virtual line unit 13 to set the line (B) 12 as an active line (step S6 in FIG. 4). After the line selection is finished, the control unit 15 instructs the virtual line unit 13 to notify an external device about the active line (step S7 in FIG. 4), and completes the setting.
- If it is determined that neither the line (A) 11 nor the line (B) 12 is effective, the control unit 15 determines that the lines cannot be set (step S8 in FIG. 4) and completes the active line setting operation.
- Next, with reference to FIG. 3 and FIG. 5, the following describes the switching operation of the active line setting performed by the connection destination device 1 when a line failure occurs.
- If a notification of the occurrence of a line failure is received, the control unit 15 confirms on which line the failure has occurred (step S11 in FIG. 5). If it is determined that the line failure has occurred on the active line side (step S12 in FIG. 5), the control unit 15 deactivates the active side line (line (A) 11 in this example) (step S13 in FIG. 5) and activates the non-failed line (line (B) 12 in this example) (step S14 in FIG. 5).
- After that, the control unit 15 instructs the virtual line unit 13 to notify the external device that the non-failed line is activated (step S15 in FIG. 5) and completes the switching operation of the active line setting that is performed when a line failure occurs.
- If the active line was not subjected to a failure, the control unit 15 determines that the failure was on the non-active line (step S16 in FIG. 5) and completes the switching operation of the active line setting that is performed when a line failure occurs.
- As described above, only one address is used for the connection destination device 1 in this example, and the line redundancy function can be provided without using redundant IPsec tunnels from the connection source device 3 to the connection destination device 1.
- In this example, the address of the connection destination device 1 is assigned, not directly to the physical lines, but to the virtual line unit 13. This configuration allows the connection source device 3 to establish, communicate over, or disconnect an IPsec tunnel to the connection destination device 1 with no concern about the line used by the connection destination device 1 or about the line redundancy.
- In this example, the address of the connection destination device 1 is assigned, not directly to the physical lines, but to the virtual line unit 13. This configuration eliminates the need for creating IPsec tunnels and SADs, one for each redundant line, between the connection source device and the connection destination device, thus increasing efficiency.
- In this example, because the active line of the connection destination device 1 is switched when a line failure occurs in the connection destination device 1, the IPsec tunnel established before the generation of the error can be used continuously.
- FIG. 6 is a block diagram showing the configuration of a connection destination device in another example of the present invention. The basic configuration of another example of the present invention shown in FIG. 6 is the same as that of the one example of the present invention described above, except for further modifications to the configuration of a connection destination device 4. That is, the connection destination device 4 comprises line (A) 41-1, line (B) 41-2, . . . , line (N) 41-N, a virtual line unit 42, and a control unit 43, and an externally installed SAD 5 is connected to the virtual line unit 13.
- The SAD 5, which can be installed outside the connection destination device 4 as shown in FIG. 6, communicates with the connection destination device 4 via a general-purpose communication method such as TCP/IP (Transmission Control Protocol/Internet Protocol). This configuration minimizes the effect on the SAD 5 even when the connection destination device 4 fails.
- In this example, the physical lines are not limited to two, line (A) 41-1 and line (B) 41-2, but one or more lines (N) 41-N are installed to increase the number of physical lines to N. This configuration also performs the same operation, and achieves the same effect, as that of the one example of the present invention.
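The two flowcharts described above (FIG. 4 for the initial active line selection, FIG. 5 for switching when a line fails) and the N-line variant of FIG. 6 can be walked through in a small model. The following is an added example written for this page, not code from the patent or from its assignee; the class names, the addresses (taken from the documentation ranges) and the SPI are constructed. The preceding-stage device is modelled as a table that maps the address X to the line last announced for it, and the SAD as a dictionary keyed on (X, SPI), so that nothing in the SAD has to change when the active line moves.

```python
"""Model of the single-address line-redundancy scheme described on this page: an added
example, not the patent's own code. Names, addresses and the SPI are constructed; no real
IPsec processing happens, an SA is just a dictionary entry keyed on (address X, SPI)."""
from typing import Dict, List, Optional, Sequence, Tuple


class PrecedingStageDevice:
    """Upstream device: forwards address X to whichever line was last announced for it."""
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def notify(self, address: str, line_name: str) -> None:
        self.table[address] = line_name  # "line <name> has the address X"

    def line_for(self, address: str) -> Optional[str]:
        return self.table.get(address)


class VirtualLineUnit:
    """Owns address X and designates one physical line as active; lines carry no address."""
    def __init__(self, line_names: Sequence[str], upstream: PrecedingStageDevice) -> None:
        self.up: Dict[str, bool] = {name: True for name in line_names}  # checked in order A, B, ..., N
        self.upstream = upstream
        self.address: Optional[str] = None
        self.active: Optional[str] = None

    def first_usable(self) -> Optional[str]:
        return next((name for name, ok in self.up.items() if ok), None)

    def activate(self, line_name: str) -> None:
        """Make line_name the active line and announce it upstream (steps S7 / S15)."""
        assert self.address is not None, "address X must be assigned first"
        self.active = line_name
        self.upstream.notify(self.address, line_name)


class ControlUnit:
    """Implements the FIG. 4 (initial selection) and FIG. 5 (failover) flowcharts."""
    def __init__(self, vlu: VirtualLineUnit) -> None:
        self.vlu = vlu

    def set_active_line(self, address: str) -> Optional[str]:
        """FIG. 4: assign X to the virtual line unit, activate the first usable line (S1..S6);
        None means no line can be set (S8)."""
        self.vlu.address, self.vlu.active = address, None
        chosen = self.vlu.first_usable()
        if chosen is not None:
            self.vlu.activate(chosen)
        return chosen

    def on_line_failure(self, failed: str) -> Optional[str]:
        """FIG. 5: failure on a non-active line changes nothing (S16); failure on the active
        line deactivates it (S13), activates a non-failed line (S14) and announces it (S15)."""
        self.vlu.up[failed] = False
        if failed != self.vlu.active:
            return self.vlu.active
        self.vlu.active = None
        chosen = self.vlu.first_usable()
        if chosen is not None:
            self.vlu.activate(chosen)
        return chosen


class ConnectionDestinationDevice:
    """IPsec termination device: one SAD shared by all lines, keyed on (address X, SPI)."""
    def __init__(self, line_names: Sequence[str], upstream: PrecedingStageDevice) -> None:
        self.upstream = upstream
        self.vlu = VirtualLineUnit(line_names, upstream)
        self.control = ControlUnit(self.vlu)
        self.sad: Dict[Tuple[str, int], str] = {}  # (local address X, SPI) -> peer address

    def install_sa(self, local: str, spi: int, peer: str) -> None:
        self.sad[(local, spi)] = peer

    def receive(self, dst: str, spi: int) -> Optional[str]:
        """Inbound ESP packet for dst/spi: the line it arrived on when the upstream forwarded
        it to a usable line and an SA matched, else None (dropped)."""
        line_name = self.upstream.line_for(dst)
        if line_name is None or not self.vlu.up[line_name]:
            return None
        return line_name if (dst, spi) in self.sad else None


def failover_trace(line_names: Sequence[str] = ("A", "B", "C")) -> List[tuple]:
    """Setup, one SA, a failure on a non-active line, then on the active line, with a
    delivery attempt after each step. Returns (event, result) pairs for checking."""
    names = list(line_names)
    dev = ConnectionDestinationDevice(names, PrecedingStageDevice())
    x_addr, src, spi = "192.0.2.10", "198.51.100.7", 0x1001  # constructed values
    trace = [("active", dev.control.set_active_line(x_addr))]
    dev.install_sa(x_addr, spi, src)                         # SA established over the active line
    trace.append(("deliver", dev.receive(x_addr, spi)))
    trace.append(("fail_nonactive", dev.control.on_line_failure(names[-1])))
    trace.append(("fail_active", dev.control.on_line_failure(names[0])))
    trace.append(("deliver", dev.receive(x_addr, spi)))      # same SA, no SAD change needed
    trace.append(("sad_entries", len(dev.sad)))
    if dev.vlu.active is not None:                           # exhaust the last usable line
        trace.append(("fail_active", dev.control.on_line_failure(dev.vlu.active)))
    trace.append(("deliver", dev.receive(x_addr, spi)))
    return trace


if __name__ == "__main__":
    for event in failover_trace():
        print(event)
```

Running it prints the trace: delivery succeeds on line A, a failure on line C (non-active) changes nothing, a failure on line A moves the announcement to line B and the single SAD entry still matches, and once every line is down packets are dropped. What the model leaves out is timing: how quickly the preceding-stage device acts on the notification decides how long the tunnel is unreachable during the switch.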
- In addition, though installed redundantly in the connection destination device 4 in this example, the lines may also be installed redundantly in a connection source device 3.
- It should be noted that other objects, features and aspects of the present invention will become apparent in the entire disclosure and that modifications may be made without departing from the gist and scope of the present invention as disclosed herein and claimed as appended herewith.
- Also it should be noted that any combination of the disclosed and/or claimed elements, matters and/or items may fall under the modifications aforementioned.
Claims (13)
1. A communication system in which an IPsec (Internet Protocol security protocol) tunnel to a connection source device is terminated at a connection destination device, wherein said connection destination device comprises:
a plurality of physical lines; and
virtual line means that specifies one of said plurality of physical lines as an active line to be used for communication and that notifies an external device that the specified physical line is of a pre-assigned address of said connection destination device;
the address of said connection destination device being assigned to said virtual line means to make it appear to said external device that the address is assigned to the active line.
2. The communication system according to claim 1, wherein said virtual line means switches the active line to another physical line when a line failure occurs in said connection destination device.
3. The communication system according to claim 1, wherein said connection destination device further comprises an SAD (Security Association Database) which is provided for common use by said plurality of physical lines and in which IPsec connection information is stored.
4. The communication system according to claim 1, wherein an SAD which is provided for common use by said plurality of physical lines and in which IPsec connection information is stored is provided outside said connection destination device.
5. An IPsec termination device that terminates an IPsec tunnel, comprising:
a plurality of physical lines; and
virtual line means that specifies one of said plurality of physical lines as an active line to be used for communication and that notifies an external device that the specified physical line is of a pre-assigned address; wherein
the address of said IPsec termination device is assigned to said virtual line means to make it appear to said external device that the address is assigned to the active line.
6. The IPsec termination device according to claim 5, wherein said virtual line means switches the active line to another physical line when a line failure occurs in said connection destination device.
7. The IPsec termination device according to claim 5, further comprising a SAD which is provided for common use by said plurality of physical lines and in which IPsec connection information is stored.
8. The IPsec termination device according to claim 5, wherein a SAD which is provided for common use by said plurality of physical lines and in which IPsec connection information is stored is provided outside said IPsec termination device.
9. An IPsec tunnel communication continuation method for use in a communication system in which an IPsec tunnel to a connection source device is terminated at a connection destination device, said method comprising:
notifying by said connection destination device to an external device that a physical line, which is specified using virtual line means that specifies one of a plurality of physical lines as an active line to be used for communication, is of a pre-assigned address of said connection destination device; and
assigning the address of said connection destination device to said virtual line means to make it appear to said external device that the address is assigned to the active line.
10. The IPsec tunnel communication continuation method according to claim 9, wherein said connection destination device switches the active line to another physical line by means of said virtual line means when a line failure occurs in said connection destination device.
11. The IPsec tunnel communication continuation method according to claim 9, wherein a SAD which is provided for common use by said plurality of physical lines and in which IPsec connection information is stored is provided in said connection destination device.
12. The IPsec tunnel communication continuation method according to claim 9, wherein a SAD which is provided for common use by said plurality of physical lines and in which IPsec connection information is stored is provided outside said connection destination device.
13. A program which is executed in an IPsec termination device that terminates an IPsec tunnel and which is executable by a computer, said program including the process of:
notifying to an external device that a physical line, which is specified using virtual line means that specifies one of a plurality of physical lines as an active line to be used for communication, is of a pre-assigned address of said connection destination device.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2007056502A JP2008219679A (en) | 2007-03-07 | 2007-03-07 | COMMUNICATION SYSTEM, IPsec TUNNEL TERMINATING DEVICE AND IPsec TUNNEL COMMUNICATION CONTINUATION METHOD USED THEREFOR |
JP2007-056502 | 2007-03-07 |
Publications (1)
Publication Number | Publication Date |
---|---|
US20080222716A1 true US20080222716A1 (en) | 2008-09-11 |
Family
ID=39742986
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/042,752 Abandoned US20080222716A1 (en) | 2007-03-07 | 2008-03-05 | COMMUNICATION SYSTEM, IPsec TUNNEL TERMINATION DEVICE, AND IPsec TUNNEL COMMUNICATION CONTINUATION METHOD USED FOR THEM |
Country Status (3)
Country | Link |
---|---|
US (1) | US20080222716A1 (en) |
EP (1) | EP2012492A1 (en) |
JP (1) | JP2008219679A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110228935A1 (en) * | 2010-03-17 | 2011-09-22 | Fujitsu Limited | Communication apparatus, communication method, and communication system |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP5573188B2 (en) * | 2010-01-20 | 2014-08-20 | 富士通株式会社 | Communication system and control method |
JP2012070077A (en) * | 2010-09-21 | 2012-04-05 | Nec Infrontia Corp | Communication system, information processing device, and information processing method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030189898A1 (en) * | 2002-04-04 | 2003-10-09 | Frick John Kevin | Methods and systems for providing redundant connectivity across a network using a tunneling protocol |
US20040010583A1 (en) * | 2002-07-10 | 2004-01-15 | Nortel Networks Limited | Method and apparatus for defining failover events in a network device |
US6915436B1 (en) * | 2000-08-02 | 2005-07-05 | International Business Machines Corporation | System and method to verify availability of a back-up secure tunnel |
US6931529B2 (en) * | 2001-01-05 | 2005-08-16 | International Business Machines Corporation | Establishing consistent, end-to-end protection for a user datagram |
US7620041B2 (en) * | 2004-04-15 | 2009-11-17 | Alcatel-Lucent Usa Inc. | Authentication mechanisms for call control message integrity and origin verification |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007056502A (en) | 2005-08-23 | 2007-03-08 | Shin Caterpillar Mitsubishi Ltd | Cab reinforcing member, cab, and work machine |
2007
- 2007-03-07 JP JP2007056502A patent/JP2008219679A/en active Pending
2008
- 2008-02-28 EP EP20080102133 patent/EP2012492A1/en not_active Withdrawn
- 2008-03-05 US US12/042,752 patent/US20080222716A1/en not_active Abandoned
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6915436B1 (en) * | 2000-08-02 | 2005-07-05 | International Business Machines Corporation | System and method to verify availability of a back-up secure tunnel |
US6931529B2 (en) * | 2001-01-05 | 2005-08-16 | International Business Machines Corporation | Establishing consistent, end-to-end protection for a user datagram |
US20030189898A1 (en) * | 2002-04-04 | 2003-10-09 | Frick John Kevin | Methods and systems for providing redundant connectivity across a network using a tunneling protocol |
US20040010583A1 (en) * | 2002-07-10 | 2004-01-15 | Nortel Networks Limited | Method and apparatus for defining failover events in a network device |
US7620041B2 (en) * | 2004-04-15 | 2009-11-17 | Alcatel-Lucent Usa Inc. | Authentication mechanisms for call control message integrity and origin verification |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110228935A1 (en) * | 2010-03-17 | 2011-09-22 | Fujitsu Limited | Communication apparatus, communication method, and communication system |
US8631234B2 (en) | 2010-03-17 | 2014-01-14 | Fujitsu Limited | Apparatus and method for establishing encryption information common to a plurality of communication paths coupling two apparatuses |
Also Published As
Publication number | Publication date |
---|---|
JP2008219679A (en) | 2008-09-18 |
EP2012492A1 (en) | 2009-01-07 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
US8462767B2 (en) | Internet protocol compliant private branch electronic exchange and a method for redundantly configuring terminal interfaces | |
US6594776B1 (en) | Mechanism to clear MAC address from Ethernet switch address table to enable network link fail-over across two network segments | |
JP4974964B2 (en) | Intelligent failover in a load-balanced network environment | |
WO2017219779A1 (en) | Device active/standby switchover method and apparatus based on link protocol, and storage medium | |
JP2010045760A (en) | Connection recovery device for redundant system, method and processing program | |
US7756012B2 (en) | Intelligent failover in a load-balanced network environment | |
CN111585835B (en) | Control method and device for out-of-band management system and storage medium | |
US20080222716A1 (en) | COMMUNICATION SYSTEM, IPsec TUNNEL TERMINATION DEVICE, AND IPsec TUNNEL COMMUNICATION CONTINUATION METHOD USED FOR THEM | |
JP7161008B2 (en) | Application redundancy management system and application redundancy management method | |
CN100362484C (en) | Method of multi-computer back-up | |
US8588107B2 (en) | Returning domain identifications without reconfiguration | |
JP2504366B2 (en) | Fault tolerant system | |
JP2009003491A (en) | Server switching method in cluster system | |
KR20180099143A (en) | Apparatus and method for recovering tcp-session | |
EP1700433A1 (en) | Method of automatically transferring router functionality | |
US9083618B2 (en) | Centralized backup system and backup method for an homogeneous real-time system at different locations | |
CN110752955A (en) | Seat invariant fault migration system and method | |
JP3144346B2 (en) | Spare switching system for communication processing equipment | |
JPH1141246A (en) | Duplex system for network connection device | |
JP2019045957A (en) | Transmission/reception system, control method of transmission/reception system, and relay device | |
JPH09274573A (en) | Backup system | |
US10652203B2 (en) | Network system, communication control device and address setting method | |
CN115701031A (en) | Service processing method and related device | |
CN115086579A (en) | Video matrix redundancy backup method and device, terminal equipment and storage medium | |
CN117857317A (en) | Redundant double-network port based on encryption network, configuration method and encryption method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AS | Assignment | Owner name: NEC CORPORATION, TEXAS. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MOMOI, YASUNORI;REEL/FRAME:020603/0981. Effective date: 20080221 |
| | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |